From 5fb6373172b0660cfe51254d511020c1e484366a Mon Sep 17 00:00:00 2001
From: Leandro Nunes dos Santos <leandronunes@gmail.com>
Date: Wed, 3 Jun 2015 15:37:47 -0300
Subject: [PATCH] consider permission to close tasks

---
 app/controllers/my_profile/tasks_controller.rb |  6 +++---
 test/functional/tasks_controller_test.rb       | 28 ++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/app/controllers/my_profile/tasks_controller.rb b/app/controllers/my_profile/tasks_controller.rb
index 61f3b16..874e59c 100644
--- a/app/controllers/my_profile/tasks_controller.rb
+++ b/app/controllers/my_profile/tasks_controller.rb
@@ -1,7 +1,7 @@
 class TasksController < MyProfileController
 
-  protect [:perform_task, :view_tasks], :profile, :only => [:index]
-  protect :perform_task, :profile, :except => [:index]
+  protect [:perform_task, :view_tasks], :profile, :only => [:index, :save_tags]
+  protect :perform_task, :profile, :except => [:index, :save_tags]
 
   def index
     @filter_type = params[:filter_type].presence
@@ -103,7 +103,7 @@ class TasksController < MyProfileController
 
       ActsAsTaggableOn.remove_unused_tags = true
 
-      task = Task.find_by_id params[:task_id]
+      task = profile.tasks.find_by_id params[:task_id]
       save = user.tag(task, with: params[:tag_list], on: :tags)
 
       if save
diff --git a/test/functional/tasks_controller_test.rb b/test/functional/tasks_controller_test.rb
index ade85b0..049d121 100644
--- a/test/functional/tasks_controller_test.rb
+++ b/test/functional/tasks_controller_test.rb
@@ -671,4 +671,32 @@ class TasksControllerTest < ActionController::TestCase
     assert_not_includes task_two.tags_from(nil), 'noosfero'
   end
 
+  should 'not tag task without permission' do
+    Role.delete_all
+    requestor = fast_create(Person)
+    community = fast_create(Community)
+    community.add_member(person)
+
+    @controller.stubs(:profile).returns(community)
+    task_one = Task.create!(:requestor => requestor, :target => community, :data => {:name => 'Task Test'})
+
+    post :save_tags, :task_id => task_one.id, :tag_list => 'test'
+
+    assert_not_includes task_one.tags_from(nil), 'test'
+  end
+#region_validators_controller_test.rb:    give_permission('ze', 'manage_environment_validators', environment)
+#profile_editor_controller_test.rb:    user2.stubs(:has_permission?).with('edit_profile', anything).returns(true)
+#profile_editor_controller_test.rb:    user2.expects(:has_permission?).with(:manage_friends, anything).returns(true)
+
+  should 'not tag task with permission but another user' do
+    requestor = fast_create(Person)
+    target = fast_create(Person)
+
+    task_one = Task.create!(:requestor => requestor, :target => target, :data => {:name => 'Task Test'})
+
+    post :save_tags, :task_id => task_one.id, :tag_list => 'test'
+
+    assert_not_includes task_one.tags_from(nil), 'test'
+  end
+
 end
--
libgit2 0.21.2